62fff19daf26f0eabeb7f64b8261ce206b5568478bf26e56d49b7c6ecec26feb

General

Target

86ef2a66c72c1d358578f09b15ae4dc0N.exe
Size

78KB
MD5

86ef2a66c72c1d358578f09b15ae4dc0
SHA1

b84d8932f011b1f3a2b923af8ae2a2359142a4a5
SHA256

62fff19daf26f0eabeb7f64b8261ce206b5568478bf26e56d49b7c6ecec26feb
SHA512

7ca899f0df1d3e605f2a7443e578fa382f091b0e5fd6f70f1287bd4315210a6373fae6283cd8da664e556a8d4f68332ce7d10be0214654f252f3833902547fe8
SSDEEP

1536:Yy58fXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96b9/Qd1W2:Yy58/SyRxvhTzXPvCbW2UI9/8

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmp760.tmp.exe

pid process

2716 tmp760.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

86ef2a66c72c1d358578f09b15ae4dc0N.exe

pid process

2772 86ef2a66c72c1d358578f09b15ae4dc0N.exe
2772 86ef2a66c72c1d358578f09b15ae4dc0N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2716	tmp760.tmp.exe

pid	process
2772	86ef2a66c72c1d358578f09b15ae4dc0N.exe
2772	86ef2a66c72c1d358578f09b15ae4dc0N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp760.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp760.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

86ef2a66c72c1d358578f09b15ae4dc0N.exevbc.execvtres.exetmp760.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86ef2a66c72c1d358578f09b15ae4dc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp760.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

86ef2a66c72c1d358578f09b15ae4dc0N.exetmp760.tmp.exe

description pid process

Token: SeDebugPrivilege 2772 86ef2a66c72c1d358578f09b15ae4dc0N.exe
Token: SeDebugPrivilege 2716 tmp760.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2772	86ef2a66c72c1d358578f09b15ae4dc0N.exe
Token: SeDebugPrivilege	2716	tmp760.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

86ef2a66c72c1d358578f09b15ae4dc0N.exevbc.exe

description	pid	process	target process
PID 2772 wrote to memory of 2560	2772	86ef2a66c72c1d358578f09b15ae4dc0N.exe	vbc.exe
PID 2772 wrote to memory of 2560	2772	86ef2a66c72c1d358578f09b15ae4dc0N.exe	vbc.exe
PID 2772 wrote to memory of 2560	2772	86ef2a66c72c1d358578f09b15ae4dc0N.exe	vbc.exe
PID 2772 wrote to memory of 2560	2772	86ef2a66c72c1d358578f09b15ae4dc0N.exe	vbc.exe
PID 2560 wrote to memory of 2932	2560	vbc.exe	cvtres.exe
PID 2560 wrote to memory of 2932	2560	vbc.exe	cvtres.exe
PID 2560 wrote to memory of 2932	2560	vbc.exe	cvtres.exe
PID 2560 wrote to memory of 2932	2560	vbc.exe	cvtres.exe
PID 2772 wrote to memory of 2716	2772	86ef2a66c72c1d358578f09b15ae4dc0N.exe	tmp760.tmp.exe
PID 2772 wrote to memory of 2716	2772	86ef2a66c72c1d358578f09b15ae4dc0N.exe	tmp760.tmp.exe
PID 2772 wrote to memory of 2716	2772	86ef2a66c72c1d358578f09b15ae4dc0N.exe	tmp760.tmp.exe
PID 2772 wrote to memory of 2716	2772	86ef2a66c72c1d358578f09b15ae4dc0N.exe	tmp760.tmp.exe

C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe
"C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ts34c9pg.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7FC.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2932

C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86ef2a66c72c1d358578f09b15ae4dc0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7FD.tmp
Filesize
1KB

MD5
cfcf918589824c4dce9d57f2faa458c6

SHA1
6df0fe99f1a6cd7c24b6fb258ca94e560f99b1df

SHA256
63ced3cfca33ad67e92fa7f969ff1ee1b3eaa2b3a22d6e1430e4eb83cc7796e3

SHA512
8c9dcf8dd6613bc1fc8fcb116ff1c4c3c754112e8ba0f03ecc95389fea02e913ffed9b64f03678c150ad855d7f915778ba68474a68a7f3683c5aad2de1e9c738

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe
Filesize
78KB

MD5
b0e56cf6c4259a9e55e4684871fb7c8f

SHA1
2fa49530943b0c97544aa6b2c24baab6c9d361d8

SHA256
599ec679fe77d6148a934ff7b2c0c8b4806a3652f304a257d0d7382e6e9043a3

SHA512
e7d0a78176c0ac500f169cfa66ce365db78a31ce8f99f42bb35af27290671bb4f591a37f0f9808f05d731236ee9ba882bede56291b71068776f68989057118e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ts34c9pg.0.vb
Filesize
14KB

MD5
a2e80cfae374b87aba44a6fbb10fed90

SHA1
deb0a4f9c757c80bbe0bf3fec1dd614913959ec8

SHA256
724efa82ba8b15e2b7800d0e378d915a90267216401901c190eebf8f1287c84c

SHA512
fd02a0490d14373048aa39238f7cc87acdb69e765645695cc6d180ead45e0760ff3d0ae5f41350aee00b5ce676c8e1bddf248546fd127350e2b3e39313374e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ts34c9pg.cmdline
Filesize
265B

MD5
06020ad8f4269f44e3a8b29349c068d7

SHA1
e8324cbc2c9e7c9af56520ee9f248aa54b0ab51e

SHA256
cad663a3623e1414517ae38a74dbbe239e1199d2d1c98219d1bf25e4d133637d

SHA512
5cb6ad8640f3da997ff802fdabf0c7fb814a6664b13543c730395f1da8f5df3e9b7164d64c31cf469f5dd77c13430fd07cc9ab1bd9339f99c2e54317cb3ad7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7FC.tmp
Filesize
660B

MD5
13919ca909b3c480200a1541961ef351

SHA1
53ebe955f84b543d17eac71d2421414f3a620a52

SHA256
599a0159cd645ca31365dfd70d1e26f4819a5a547f210c6261f18a85e82ded35

SHA512
af57a372e925940cb61e91699a42a571599ed8da033cf2f9dadd436154f6200a84d2ac1db2a7d4f51c2bc1a634b200040856c222e299eaf5ac0a03150d651fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2560-9-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2560-18-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-0-0x00000000743B1000-0x00000000743B2000-memory.dmp

Filesize
4KB

Download
memory/2772-1-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-2-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-24-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads